When I was trying to understand the insecurity of UNIX passwords, I looked for simple password cracking software as an example. Sure, there was the famous Crack, but I found Hale's viper.pl more readable. I wanted to improve the code to measure and print performance and time estimates for brute force attacks, so I contacted Hale about my ideas, including rewriting his program in 'C' for maximum speed.

I wanted to know how long it takes to check for every possible password combination on different computing platforms, for different character sets and for different password lengths. The results were highly interesting!

But first, we need to look in more detail at how passwords work and how they are generated. After that, writing a password cracker is not that hard. The basic design of a brute-force password cracker is a loop in which we continuously compute password hashes from incremented password strings drawn from a given character set, and compare each result to the real password hash until they match. If we assume the password contains only lowercase letters from 'a' through 'z', we would start hashing and comparing:

'a', 'b', 'c', 'd'... 'w', 'x', 'y', 'z', then 'aa', 'ab', 'ac', 'ad' ... 'zw', 'zx', 'zy', 'zz', then 'aaa', 'aab', 'aac', 'aad' ... 'zzw', 'zzx', 'zzy', 'zzz' ... continuing to the maximum password length until we find the 'winning' combination. The faster it runs the better, because simple math tells us how many password string combinations we need to check. Using the example of a password with at most 8 characters (all lower case), we can calculate the total number of combinations (example for the 26 lowercase letters of the English alphabet):
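The loop and the counting described above, written out as an added example in Python; this is not code from the original article or from Hale's viper.pl. It generates candidates in exactly the order given in the text (shortest first, rightmost position changing fastest), runs the hash-and-compare loop against a constructed target, and turns the keyspace size for a given character set and maximum length into a worst-case time estimate. SHA-256 stands in for the UNIX crypt() hash only so the example runs offline, and the hash rate used for the estimate is a constructed assumption rather than a measurement.

```python
"""Brute-force keyspace arithmetic and candidate enumeration.

Added example, not code from the original article or from viper.pl.
SHA-256 replaces crypt() so the example runs anywhere; the hash rate
used for time estimates is a constructed figure, not a measurement.
"""
import hashlib
import string
from typing import Callable, Iterator, Optional, Tuple

LOWER = string.ascii_lowercase


def candidates(charset: str, max_len: int) -> Iterator[str]:
    """Yield every string of length 1..max_len over charset, shortest first.

    Within one length the order is that of an odometer: the rightmost
    position changes fastest and a wrap carries one position to the left.
    """
    indices = [0]
    while len(indices) <= max_len:
        yield "".join(charset[i] for i in indices)
        pos = len(indices) - 1
        while pos >= 0 and indices[pos] == len(charset) - 1:
            indices[pos] = 0          # this position wrapped; carry left
            pos -= 1
        if pos < 0:
            indices = [0] * (len(indices) + 1)   # every position wrapped: grow by one
        else:
            indices[pos] += 1


def keyspace_size(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len: the sum of charset_size**n."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate at the given (assumed) rate."""
    return keyspace_size(charset_size, max_len) / hashes_per_second


def sha256_hex(password: str) -> str:
    """Stand-in for the real password hash function."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target: str, charset: str, max_len: int,
                hash_fn: Callable[[str], str] = sha256_hex) -> Tuple[Optional[str], int]:
    """Hash each candidate and compare it with target.

    Returns (matching candidate or None, number of hashes computed).
    """
    attempts = 0
    for cand in candidates(charset, max_len):
        attempts += 1
        if hash_fn(cand) == target:
            return cand, attempts
    return None, attempts


def format_seconds(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed demo: a 3-letter lowercase password hashed with the stand-in function.
    target = sha256_hex("cat")
    found, tries = brute_force(target, LOWER, 3)
    print(f"recovered {found!r} after {tries} of {keyspace_size(26, 3)} candidates")

    ASSUMED_RATE = 1_000_000  # hashes per second; constructed, not measured
    charsets = (("lowercase", LOWER),
                ("lowercase + digits", LOWER + string.digits),
                ("printable ASCII", string.ascii_letters + string.digits + string.punctuation))
    for name, cs in charsets:
        for n in (6, 8):
            total = keyspace_size(len(cs), n)
            est = format_seconds(seconds_to_exhaust(len(cs), n, ASSUMED_RATE))
            print(f"{name:>20} ({len(cs):2d} chars), max {n}: {total:>22,d} candidates, {est}")
```

The table printed by the demo is the point of the exercise: the keyspace grows as a power of the length and polynomially in the character set, so lengthening the password or widening the alphabet is what moves the worst-case time out of reach, not the speed of any one implementation.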